This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key feature or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
Directory services (DS's) are used by organizations to store and organize information about users and computer resources distributed throughout their networks. This information is represented to users of the directory service as nodes on a hierarchy. Each node is an instance of an object class; object classes comprise at least a collection of attributes and the data types of the attributes. Values may be stored in the attributes; certain attributes may require a value to be stored whereas others permit a value to be stored. The schema of a DS is the definition of the object classes and associated attributes.
By way of example, a user may be represented in a DS as an instance of the object class “user.” This object class lists a collection of attributes that describe a user, such as “sn” which holds the surname of the user and “mobile” which holds the primary mobile phone number of the user. Each type of user or resource is represented in the DS as an instance of an object class.
DS's are used by software applications for a variety of purposes. Frequently, DS's are used for user authentication purposes. When a user enters a username and password into an application, the application may communicate with the DS to assure that the user's password is correct and that the user has sufficient privileges to run the application. DS's may also be used to administer and control access to and use of resources, such as file systems or prints.
Many modern directory services are based on the Lightweight Directory Access Protocol (LDAP). LDAP provides a hierarchical storage model to maintain information about users, computers and other entities. A common commercial directory service used by organizations is Active Directory® (“AD”), produced the Microsoft Corporation.
DS administrators are often reluctant to make schema modifications or to allow any other changes to be made that might affect the integrity of important directory service objects. There are several reasons for this reluctance. Schema modifications are frequently difficult to “undo” if anything goes wrong during the modification process. Poorly designed modifications can also impact DS performance. External dependencies may not be known and/or may be difficult to change. DS administrators might also be reluctant to allow applications to modify important data as may be found in “user” object instances. Software defects might accidentally result in data corruption that could severely impact system operations.
The art has not demonstrated a satisfactory method to associate additional data with existing object instances in a DS which accommodates the reluctance of DS administrators to change schemas or important directory service objects.
Generally stated, the disclosed invention is directed to variations of a method for associating additional information or data with existing DS object instances. The variations involve creating an “Application Partition” (defined further herein). One variation creates new instances of existing object classes in the Application Partition; the additional information is stored in the attributes of the new instances of the existing object classes. The schema of the DS in this variation is not modified. Another variation involves creating new object classes with attributes tailored to store the additional information and creating instances of the new object classes in the Application Partition; the additional information is stored in the attributes of the new instances of the new object classes. The schema of the DS in this variation is modified. The variations provide bi-directional mechanisms to associate the additional information with previously existing object instances without having to modify the previously existing object instances. Under the variations, the additional data may be stored as a normal value for the chosen attribute or as a pseudo-value (defined further herein). A newly created instance may be linked to a previously existing object instance by setting a “backlink” attribute (defined further below), such as the common name attribute, of the newly created instance to have a value associated with a “partition link” attribute (defined further below) of a previously existing object instance, such as the UUID attribute.
The following detailed description refers to the accompanying drawings. The same reference numbers in different drawings identify the same or similar elements. The following detailed description is for the purpose of illustrating embodiments of the invention only, and other embodiments are possible without deviating from the spirit and scope of the invention, which is limited only by the appended claims. Certain of the figures are labeled with terms associated with specific software applications or categories of software applications. The labels and the following discussion use these terms and related terms as examples and not as limitations. Equivalent functions may be provided by other software applications operating on general and/or specialty purpose devices. Thus, references in this document to a browser, a webserver, a directory service, or a database should be understood to describe any software application providing similar functions, operating on suitable hardware for such software application, and provided with suitable communication facilities. References to a “network” shall be understood to describe any suitable network capable of providing communication between the other components, such as but not limited to the Internet. The components depicted in the figures represent function groups; it should be understood that such function groupings need not exist as discrete hardware devices or software applications and that the functions described as occurring within, comprising, or being provided by a grouping may be provided within or by common or separate physical and/or logical hardware devices and software applications. The components within and comprising any of the function groupings may be regrouped in other combinations and certain of the functions and/or steps may be omitted or re-ordered without deviating from the spirit of the disclosed invention.
Depicted is computer 102.4, which comprises a memory structure and processor configured with and executing a Directory Service 110. Also depicted is computer 102.1, which comprises a memory structure and processor configured with users 102.1.01, a registry 102.1.02, and executing application and non-application processes 102.1.03. Also depicted is computer 102.2 which comprises a memory structure and processor configured with and executing an application process 104. Also depicted is computer 102.3 which comprises a memory structure and processor configured with and executing a file system 106. The computers 102.1 through 102.3 and the users thereof and the processes being executed thereby may utilize the Directory Service 110 for various services, such as authentication and authorization, data storage and other services.
The Directory Service 100 is depicted as comprising a schema 110.01. The schema comprises the set of object classes which are allowed to have instances in the Directory Service 100. The object classes comprise a name for the object class as well as attributes and the data types of the attributes. The schema may define that attribute values may be allowed or required and that attributes may be allowed to have no value, a single value, or multiple values. The data types of the attributes may specify, for example, that data stored as a value of an attribute be an ASCII string of a certain length, binary digits occupying a certain number of bits, a hexadecimal value, that it be big or little endian, that the value occupy a fixed or a variable memory allotment, that the value contain a date, a telephone number, an email address, etc. In this example, ObjectClass1, 110.01.01, has Attributes1 while ObjectClass2, 110.01.02, has Attributes2. Attributes1 and Attributes2 may be entirely, partially, or not at all co-extensive. The Directory Service 100 is depicted as comprising object instances which may occur anywhere in the directory structure 110.02. Such object instances in this example comprise ObjInstance1, 110.04, which has a common name attribute of “nodename1,” a UUID attribute set to UUID1, and one or more other attributes with values of Value1 and Value2. Such object instances in this example further comprise ObjInstance2, 110.06, which has a common name of “nodename2,” a UUID set to UUID2, and one or more other attributes with values of Value3 and Value4. It should be noted that sequential numbering of these features is for convenience and the purpose of example only and that the values do not necessarily have to be different, the same, nor that values even need be present. It should also be noted that “UUID” stands for “Universally Unique Identifier” and should generally be understood in this disclosure to be synonymous with “GUID” or “Globally Unique Identifier.” It should also be noted that “UUID” and “common name” or “CN” may be referred to herein without necessarily being identified as an attribute.
Also depicted in
The OAL 210.12 and/or the transcoding processes 210.12.01 may further be comprise instructions to search for corresponding backlinks and partition links (discussed further below), to obtain values from attributes associated with identified object instances, to perform reverse transcoding on obtained values, to combine obtained values (whether in a native format or following a reverse transcoding process) from one or more object instances, and to properly format the obtained and/or combined values as data and to return such data as one or more unified data structures.
The OAL 210.12 and the transcoding processes 210.12.01 may be provided by hard-coded instructions and/or by a table which comprises such instructions in the form of regular expressions or similar programming techniques. The transcoding and conversion of attribute values may be as simple as noting that a “fax number” attribute be handled as a “phone number” or as complex as a multi-stage compression algorithm; for performance reasons, the transcoding and conversion may be chosen to be computational efficient, such as a mask.
Step 408 depicts a decision junction in which it is decided whether or not the schema for the DS will be modified to accommodate the Additional Data, such as through the addition of a new object class, such as ObjectClassn, or through the modification of an existing object class, such as the modification of ObjectClass2 with Attributes2 110.01.02 to be ObjectClass2 with attribute set Attributes3 210.01.02. If the schema is to be modified, then at step 410, if the new object class has not yet been created to contain the Additional Data in its instances, then a new object class, ObjectClassn, is created with attributes which match or are at least compatible with the data type(s) of the Additional Data, such as the new object class ObjectClassn 210.01.03 discussed above; alternative to creating a new object class, an existing object class could be modified to include attribute(s) which match or are at least compatible with the data type(s) of the Additional Data, such as the modified object class ObjectClass2 210.01.02. If the schema is not to be modified, then at step 412, if an existing object class has not yet been selected to contain the Additional Data in its instances, then an existing object class is selected which has attributes which match or are at least can be made compatible with the data type(s) of the Additional Data (compatibility being provided, for example, by the OAL 210.12 and/or the transcoding process 210.12.01). When creating a new object class, the DS administrator may have greater flexibility to assign an attribute set to the new object class, which attribute set matches the data type(s) of the Additional Data; however, it may be possible to nonetheless create a new object class with an attribute set which is merely compatible with the data type(s) of the Additional Data, meaning that the values found associated with the attributes in a specific object instance may be converted by the OAL 210.12 and/or the transcoding processes 210.12.01, as described above.
At step 414, a new object instance, ObjInstance3, 210.10, is created in the Application Partition. At step 416, the backlink for ObjInstance3 is set to be the same as the UUID of ObjInstance1, which was identified at step 404 as UUID1. The backlink is an attribute of an object instance in the Application Partition which is known to the OAL 210.12 and/or the transcoding process 210.12.01 to be a backlink; in this disclosure, the backlink attribute may be the common name attribute, though in another embodiment a different attribute may be used as the backlink without necessarily changing the function of the backlink. “Backlink” and “common name” may be used interchangeably in this disclosure when the value of the “common name” attribute is equal to the value of a partition link. In the example here, the common name of ObjInstance3 is set to be UUID1. Step 404 could be performed at any time prior to step 416. Step 418 depicts an optional step wherein the Additional Data is transcoded as described above; such transcoding may be performed by the OAL 210.12 and the transcoding processes 210.12.01. Step 420 depicts then setting some or all of the value(s) of the attributes of ObjInstance3 to be the values of the Additional Data; certain of such values may be transcoded pseudo-values. By adding the Additional Data to object instances in the Application Partition, the existing DS—outside of the Application Partition—may remain unmodified; by adding the Additional Data to an existing object class as pseudo-values, even the DS schema remains unmodified.
At step 504, a decision junction depicts determining whether the object instance ObjInstancen is in the Application Partition. If the object instance is in the Application Partition, then at step 506 the value of the backlink of the object instance is obtained. In this example, the object instance had been found at step 502 to be ObjInstance3, the backlink in the Application Partition is the common name, and the common name in this instance was found to be UUID1. Obtaining the value of the backlink of the object instance may include reverse transcoding the value. At step 508, the Additional Data is obtained from the attributes of ObjInstance3. At step 510, the partition link values (the UUID's in this example) of other nodes are searched for the common name or backlink value which was identified at step 506; in this example, the search is for UUID, which is the common name and backlink value of ObjInstance3.
A decision junction 512 represents this possibility that the backlink value (in this example the common name of ObjInstance3, UUID1) for the object instance in the application partition may or may not be found. If the backlink is not found, then at step 513 the object instance in the application partition, ObjInstance3, is tagged as an orphan, in the sense that an object instance with a backlink has been found in the application partition which does not have a corresponding object instance outside of the application partition with a matching partition link. Object instances which are tagged as orphans may be deleted, may be ignored, and/or may be sent for further analysis by other processes or people. If the backlink value or common name, UUID, for the object instance is found in the UUID's of other object instances outside of the Application Partition, then step 514 depicts a step of identifying the corresponding object instance, in this example ObjInstance1. Step 516 then depicts an optional step of obtaining data from the attributes of ObjInstance1.
If at decision junction 504 the ObjInstancen was found to be ObjInstance2 and was thus not found to be in the Application Partition, then step 524 depicts getting the partition link value (in this example, the UUID) for ObjInstance2, which in this example is UUID2. Step 526 depicts getting data from the attributes of ObjInstance2. Step 528 depicts searching the backlinks (in this example, the common names) of nodes in the Application Partition for the partition link value, UUID2; in this example, such a search identifies ObjInstance3. Step 530 depicts getting Additional Data from the attributes of ObjInstance3.
Step 518 depicts optionally transcoding the Additional Data which was obtained from the attributes of ObjInstance3. The transcoding may comprise processing the Additional Data according to the transcoding processes 210.12.01, discussed above. Step 520 depicts combining the Additional Data obtained from ObjInstance3 and the data from ObjInstance1 or ObjInstance2 and/or formatting it as a unified data structure responsive to the call of step 500, which combining and/or formatting may be performed by the transcoding processes 210.12.01, discussed above. Step 522 then depicts returning the Additional Data and the data to the process which made the call of step 500.
Computing device 600 includes one or more communication connections 608 that allow computing device 600 to communicate with one or more computers and/or applications 609. Device 600 may also have input device(s) 607 such as a keyboard, mouse, digitizer or other touch-input device, voice input device, etc. Output device(s) 606 such as a monitor, speakers, printer, PDA, mobile phone, and other types of digital display devices may also be included. These devices are well known in the art and need not be discussed at length here.
Additionally, device 600 may also have other features and functionality. For example, device 600 may also include additional storage (removable 604 and/or non-removable 605) including, but not limited to, magnetic or optical disks or tape. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Memory 603, removable storage 604 and non-removable storage 605 are all examples of computer storage media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by device 600. Any such computer storage media may be part of device 600.
This application claims priority to copending provisional application titled, “Extending Existing Data within a Directory Service,” Ser. No. 60/867,564, filed on Nov. 28, 2006.
Number | Date | Country | |
---|---|---|---|
60867564 | Nov 2006 | US |